No, it's because the files are changing. Find out what's changing motd.
Does your message of the day regularly change (update information on
outages or something)? If so, you can probably put an ignore in for
it.

On Wed, Sep 28, 2011 at 9:08 AM, AlgoBoy <[email protected]> wrote:
> My bad, I think these integrity errors mainly happen because I'm not
> restarting ossec i.e. ossec-control stop and start.
>
> On Sep 28, 5:59 pm, AlgoBoy <[email protected]> wrote:
>> OSSEC HIDS Notification.
>> 2011 Sep 22 09:15:57
>>
>> Received From: ip-10-251-134-240->syscheck
>> Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd
>> time)."
>> Portion of the log(s):
>>
>> Integrity checksum changed for: '/etc/motd'
>> Old md5sum was: 'dcf4d83bef51a84bbe48b9b5a38b60fe'
>> New md5sum is : 'c7bafef836545ad7dd22420ef72426dd'
>> Old sha1sum was: '6ad7cfd6e6d4e3e0240703656ba76562cc404318'
>> New sha1sum is : 'b5a6bae623ecf99e140de7550d15b62f59c2fd7c'
>>
>> On Sep 28, 5:28 pm, "dan (ddp)" <[email protected]> wrote:
>>
>> > On Wed, Sep 28, 2011 at 6:37 AM, AlgoBoy <[email protected]> wrote:
>> > > I found in my /etc/passwd file that there are three "extra" users that
>> > > cannot login but are listed.
>>
>> > > ossec
>>
>> > This is the ossec user. ossec-analysisd runs as this user (in a chroot
>> > to /var/ossec (by default, you may have chosen something different
>> > during installation)). This helps prevent (possible) flaws in
>> > ossec-analysisd from leading to root compromise.
>>
>> > > ossecm
>>
>> > This is the ossec output user. Originally it was responsible for only
>> > the ossec-maild, hence the m. Now it's responsible for ossec-dbd and
>> > ossec-csyslogd as well.
>>
>> > > ossecr
>>
>> > This is for ossec-remoted.
>>
>> > Here it is in a nutshell:
>>
>> > ossecm   22761   /var/ossec/bin/ossec-dbd
>> > ossecm    1782   /var/ossec/bin/ossec-csyslogd
>> > root     20565   /var/ossec/bin/ossec-execd
>> > ossec     1365   /var/ossec/bin/ossec-analysisd
>> > root     24076  /var/ossec/bin/ossec-logcollector (ossec-logcollect)
>> > ossecr   29685   /var/ossec/bin/ossec-remoted
>>
>> > > What are these for? I know they are attached to the Ossec HIDs
>> > > software but can anyone explain what these users are for? I think they
>> > > might be the reason I keep getting checksum rule fires from Ossec
>> > > itself.
>>
>> > No, they most likely are not the reason. Which files are changing?
>
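
Added example (not part of the original thread and not OSSEC project code): one way to follow the advice to find out which files keep changing is to tally syscheck notification mails per path before deciding on an ignore. The sample text is constructed in the layout of the alert quoted in this thread with placeholder hashes; the function names are hypothetical, and treating rule ids above 550 as "changed again" is an assumption based on the 551 alert shown.

```python
import re
from collections import Counter

# Constructed sample in the layout of the notification quoted in this thread;
# hash values are placeholders and the second alert is invented for the demo.
SAMPLE = """\
>> OSSEC HIDS Notification.
>> 2011 Sep 22 09:15:57
>>
>> Received From: ip-10-251-134-240->syscheck
>> Rule: 551 fired (level 7) -> "Integrity checksum changed again (2nd
>> time)."
>> Portion of the log(s):
>>
>> Integrity checksum changed for: '/etc/motd'
>> Old md5sum was: 'aaaa'
>> New md5sum is : 'bbbb'
OSSEC HIDS Notification.
2011 Sep 23 09:16:02
Received From: ip-10-251-134-240->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: 'cccc'
New md5sum is : 'dddd'
"""

RULE_RE = re.compile(r"^Rule: (\d+) fired \(level (\d+)\)", re.M)
PATH_RE = re.compile(r"^Integrity checksum changed for: '(.+)'$", re.M)
MD5_RE = re.compile(r"^(Old|New) md5sum (?:was|is)\s*: '([0-9a-f]+)'", re.M)

def parse_notifications(text):
    """Return one dict per syscheck checksum alert found in mail text."""
    text = re.sub(r"^(?:>[ \t]?)+", "", text, flags=re.M)  # drop reply quoting
    alerts = []
    for chunk in text.split("OSSEC HIDS Notification.")[1:]:
        rule, path = RULE_RE.search(chunk), PATH_RE.search(chunk)
        if not (rule and path):
            continue  # some other alert type, not a checksum change
        md5 = dict(MD5_RE.findall(chunk))
        alerts.append({"rule": int(rule.group(1)), "path": path.group(1),
                       "old": md5.get("Old"), "new": md5.get("New")})
    return alerts

def repeat_changers(alerts):
    """Paths seen more than once or reported by a 'changed again' rule (assumed id > 550)."""
    counts = Counter(a["path"] for a in alerts)
    return sorted({a["path"] for a in alerts if a["rule"] > 550 or counts[a["path"]] > 1})
print(repeat_changers(parse_notifications(SAMPLE)))  # ['/etc/motd']
```

A path that shows up here is one to investigate first; only a file whose changes are explained (such as a regularly updated motd) is a candidate for a syscheck ignore.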
